HTB Writeup - Netmon

NoBlameNetwork, June 30, 2019

Netmon is an "Easy" difficulty machine on hackthebox.eu.


First Step: Nmap Scan of the Machine
nmap -n -v -Pn -p- -A --reason -oN netmon-10.10.10.152.txt 10.10.10.152


Pretty clearly a Windows machine.
Primary areas of opportunity: FTP/21, HTTP/80 and SMB/445.
21/tcp    open  ftp          syn-ack ttl 127 Microsoft ftpd
80/tcp    open  http         syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Next, I checked port 80 first to see what kind of application was running there.
It turned out to be PRTG, a network monitoring tool.


Next, I logged into the FTP server using anonymous credentials.

While browsing the file structure I ran into a lot of "Access is Denied" errors.

Two users here were worth mentioning: Administrator and Public.

Inside C:\Users\Public there is a file called user.txt.

I copied this file over to my Kali system.

The user.txt file contained the user flag.

So I checked around for known issues with PRTG, and while some of the CVEs were interesting, they were all exploits that required at least read-only access to the application.

I found this article directly from the vendor.

The important text is in the red box:
  • An internal PRTG Network Monitor error caused some Active Directory integrated PRTG user account passwords and some other account passwords from the PRTG System Administration to be stored to the configuration file PRTG Configuration.dat in plain text, instead of being encrypted. We have fixed this issue as of PRTG version 18.1.38
I didn't know where this file lives, but luckily Paessler has a document telling me where to find it:
https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data


It says the configuration file is stored in the PRTG data directory.

The ProgramData folder in Windows is the default location, so we'll start there:

The ProgramData folder is hidden, so you need to use 'ls -al' to show hidden folders.

Into the Paessler folder:

Under PRTG Network Monitor:

Found it, along with some archived copies.


I grabbed all three of these files.

I looked through each of them for prtgadmin, which is the default username for PRTG.

Then I opened it in nano and searched for prtgadmin, which turned up "PrTg@dmin2018" as the old plain text password.

I tried to log in using these credentials and it didn't work.

I changed the password from "PrTg@dmin2018" to "PrTg@dmin2019", since the .old file was saved back in 2018 and the password is obviously referencing the year. This got me in.


I found a CVE describing how a PRTG system administrator can perform OS command injection:

A Google search for this specific CVE turned up a site with more detailed steps on how to perform it.

The exploit lives in the demo notification script in the PRTG web app:
  • I (Josh Berry) discovered an authenticated command injection vulnerability in the Demo PowerShell notification script provided by versions of PRTG Network Monitor prior to 18.2.39. The PowerShell notifications demo script on versions of the application prior to 18.2.39 does not properly sanitize input in the Parameter field. The web application provides a security control around running executables/scripts as part of a notification, but the demo PowerShell script contains a command injection vulnerability.
He even provides a syntax example for us:
  • As a proof of concept, the following value can be passed in the Parameter field, resulting in the creation of a test account named pentest:
    Test.txt;net user pentest p3nT3st! /add
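As an added example that is not part of the original writeup, the following Python check maps the PRTG version string from the nmap banner earlier on this page to the two fixes the page quotes (18.1.38 for the plaintext password storage in PRTG Configuration.dat, 18.2.39 for the demo PowerShell notification script injection). It is the kind of inventory check a defender would run over scan output to find PRTG instances still carrying either issue; the regex, function names and sample lines are my own assumptions, not Paessler's or nmap's.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions as quoted on this page: 18.1.38 closed the plaintext
# password storage in PRTG Configuration.dat, 18.2.39 closed the demo
# PowerShell notification script injection. The wording is mine.
PRTG_FIXES = [
    ((18, 1, 38), "account passwords stored in plain text in PRTG Configuration.dat"),
    ((18, 2, 39), "command injection via the demo PowerShell notification script"),
]

# Matches the service banner nmap printed for port 80 on this box (assumed pattern).
BANNER_RE = re.compile(r"Indy httpd (\d+(?:\.\d+)+) \(Paessler PRTG")


def parse_prtg_version(banner: str) -> Optional[Version]:
    """Return the PRTG version from an nmap banner line, or None if it is not PRTG."""
    match = BANNER_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def unpatched_issues(version: Version) -> List[str]:
    """List the fixes that this version predates; the trailing build number is ignored."""
    return [desc for fixed, desc in PRTG_FIXES if version[:3] < fixed]


def audit_banner(banner: str) -> List[str]:
    """Parse one nmap output line and report the fixes the detected version lacks."""
    version = parse_prtg_version(banner)
    return [] if version is None else unpatched_issues(version)


if __name__ == "__main__":
    # Constructed input: the port-80 line from the scan above.
    scan_line = ("80/tcp    open  http         syn-ack ttl 127 "
                 "Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)")
    for issue in audit_banner(scan_line):
        print("unpatched:", issue)
```

On the banner from this box the check reports both issues; a banner at 18.2.39 or later reports none.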
Go to the Notifications section:
Setup >> Account Settings >> Notifications

Scroll down to Execute Program and choose the demo PowerShell option (.ps1).
Set the following Parameter:
meh.txt;tree /F C:\Users\Administrator > C:\Users\Public\kpeppers_search.txt

Click Edit on your newly created alert, and trigger a test alert by clicking the bell.
This writes your command output into the C:\Users\Public folder.
I grabbed the file.

This file contains the directory hierarchy and shows a root.txt file on the Desktop.


Let's grab that file: in the same notification, set the following Parameter:
meh.txt;Copy-Item "C:\Users\Administrator\Desktop\root.txt" -Destination "C:\Users\Public\kpeppers_Admin.txt" -Recurse



I grabbed the file and got the Admin flag.